Siemens SCALANCE and RUGGEDCOM
Monitor | 4.3 | ICS-CERT ICSA-25-162-03 | Jun 10, 2025
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
Industrial Communication Devices based on SINEC OS before version 3.1 contain an incorrect authorization check vulnerability (CWE-269) that allows an attacker with guest-level access to perform actions exceeding the guest role's intended permissions. This affects RUGGEDCOM RST2428P and 30 variants of SCALANCE switches used in manufacturing and critical infrastructure networks. The vulnerability is caused by improper validation of user roles during administrative operations. Siemens has released version 3.1 firmware that corrects the authorization logic for all affected products.
What this means
What could happen
An attacker with guest-level access to your network switch or router could escalate their permissions beyond what the guest role allows, potentially modifying device configuration or accessing sensitive information. This affects industrial network switches that may be critical to process automation communication.
Who's at risk
Manufacturing facilities using Siemens SCALANCE industrial Ethernet switches (XC, XCH, XCM, XR, XRH, XRM series) or RUGGEDCOM RST2428P rugged switches. These are network switches used to connect PLCs, I/O modules, HMIs, and other industrial devices. Anyone with a water treatment plant, electrical substation SCADA network, or manufacturing facility automation control system using these switches should assess their environment.
How it could be exploited
An attacker on your network with guest credentials (or who gains guest access) can bypass authorization checks on SINEC OS-based switches and routers (SCALANCE and RUGGEDCOM devices) to perform administrative actions that should be restricted to higher-privileged roles. The attacker authenticates with the guest account and then performs operations that the authorization logic fails to properly block.
Prerequisites
- Network access to the device management interface (HTTP/HTTPS, typically port 80/443)
- Valid guest-level credentials or ability to obtain them (guest credentials are often default/shared)
- Device running affected SINEC OS version (before V3.1)
remotely exploitable; low complexity; affects network infrastructure devices (impacts all connected systems); large number of affected products
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (29)
29 with fix
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| RUGGEDCOM RST2428P (6GK6242-6PA00) | < V3.1 | 3.1 |
| SCALANCE XC316-8 | < V3.1 | 3.1 |
| SCALANCE XC324-4 | < V3.1 | 3.1 |
| SCALANCE XC324-4 EEC | < V3.1 | 3.1 |
| SCALANCE XC332 | < V3.1 | 3.1 |
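An added example, not part of the advisory or any Siemens tooling: triaging an asset inventory against the affected-version rule in the table above (firmware before V3.1). The hostnames and inventory rows are constructed, and the model prefix match is an assumption drawn from the series named on this page; confirm exact models against the vendor's full product list.

```python
import re

FIXED = (3, 1)  # advisory: SINEC OS versions before V3.1 are affected
# Assumption: broad prefix match built from the series named on this page
# (XC, XCH, XCM, XR, XRH, XRM) plus RUGGEDCOM RST2428P.
AFFECTED = re.compile(r"^(RUGGEDCOM RST2428P|SCALANCE X(C|CH|CM|R|RH|RM)\d)", re.I)

def parse_version(text):
    """Return a tuple of ints from strings like 'V3.0.2' or '3.1', else None."""
    m = re.fullmatch(r"\s*[Vv]?(\d+(?:\.\d+)*)\s*", text or "")
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def triage(model, firmware):
    """Classify one inventory row: not_affected, vulnerable, fixed or unknown."""
    if not AFFECTED.match(model.strip()):
        return "not_affected"
    version = parse_version(firmware)
    if version is None:
        return "unknown"  # never treat an unreadable version as patched
    # Pad so '3' compares as 3.0; tuples compare numerically, so 3.10 > 3.1.
    padded = version + (0,) * (len(FIXED) - len(version))
    return "vulnerable" if padded < FIXED else "fixed"

# Constructed inventory rows (hostname, model, firmware); not real devices.
INVENTORY = [
    ("sw-line1", "SCALANCE XC316-8", "V3.0.2"),
    ("sw-line2", "SCALANCE XC324-4 EEC", "V3.1"),
    ("sw-sub1", "RUGGEDCOM RST2428P", "3.10.0"),
    ("sw-pump", "SCALANCE XC332", "unknown"),
    ("sw-office", "Example Vendor S100", "1.0"),
]

def needs_action(inventory):
    """Hosts to patch or investigate: vulnerable, or version not readable."""
    return [(host, triage(model, fw)) for host, model, fw in inventory
            if triage(model, fw) in ("vulnerable", "unknown")]

if __name__ == "__main__":
    for host, status in needs_action(INVENTORY):
        print(f"{host}: {status}")
```

Rows reported as unknown need a manual firmware check before they are counted as fixed.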
Remediation & Mitigation
Do now
- WORKAROUND: Restrict network access to device management interfaces using firewall rules; ensure only authorized engineering/administrative workstations can reach the switch management port
- HARDENING: Disable or change default guest credentials if the device supports this configuration
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption.
- HOTFIX: Update all affected SCALANCE and RUGGEDCOM devices to firmware version 3.1 or later
Long-term hardening
- HARDENING: Implement network segmentation to isolate industrial switches from untrusted networks (including corporate IT networks)
- HARDENING: Use VPN or out-of-band access for all remote management of these devices
CVEs (1)